csaf_redhat - rhsa-2024

rhsa-2024_1752

Vulnerability from csaf_redhat

Published

2024-04-10 12:21

Modified

2024-09-16 18:36

Summary

Red Hat Security Advisory: GitOps 1.12.1- Argo CD CLI and MicroShift GitOps security update

Notes

Topic

An update is now available for Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Errata Advisory for Red Hat OpenShift GitOps v1.12.1- Argo CD CLI and MicroShift GitOps. Security Fix(es): * argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661) * argo-cd: Users with `create` but not `override` privileges can perform local sync (CVE-2023-50726) * argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652) * argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893) * argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Errata Advisory for Red Hat OpenShift GitOps v1.12.1- Argo CD CLI and MicroShift GitOps.\n\nSecurity Fix(es):\n\n* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)\n\n* argo-cd: Users with `create` but not `override` privileges can perform local\nsync (CVE-2023-50726)\n\n* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)\n\n* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)\n\n* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2024:1752",
        "url": "https://access.redhat.com/errata/RHSA-2024:1752"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html",
        "url": "https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html"
      },
      {
        "category": "external",
        "summary": "2269479",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269479"
      },
      {
        "category": "external",
        "summary": "2270170",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270170"
      },
      {
        "category": "external",
        "summary": "2270173",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270173"
      },
      {
        "category": "external",
        "summary": "2270182",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270182"
      },
      {
        "category": "external",
        "summary": "2272211",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272211"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1752.json"
      }
    ],
    "title": "Red Hat Security Advisory: GitOps 1.12.1- Argo CD CLI and MicroShift GitOps security update",
    "tracking": {
      "current_release_date": "2024-09-16T18:36:31+00:00",
      "generator": {
        "date": "2024-09-16T18:36:31+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2024:1752",
      "initial_release_date": "2024-04-10T12:21:14+00:00",
      "revision_history": [
        {
          "date": "2024-04-10T12:21:14+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2024-04-10T12:21:14+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-16T18:36:31+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift GitOps 1.12",
                "product": {
                  "name": "Red Hat OpenShift GitOps 1.12",
                  "product_id": "8Base-GitOps-1.12",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat OpenShift GitOps 1.12",
                "product": {
                  "name": "Red Hat OpenShift GitOps 1.12",
                  "product_id": "9Base-GitOps-1.12",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_gitops:1.12::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift GitOps"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "microshift-gitops-0:1.12.1-4.el9.src",
                "product": {
                  "name": "microshift-gitops-0:1.12.1-4.el9.src",
                  "product_id": "microshift-gitops-0:1.12.1-4.el9.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
                "product": {
                  "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
                  "product_id": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli-redistributable@1.12.1-5.el8?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
                "product": {
                  "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
                  "product_id": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli-redistributable@1.12.1-4.el9?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "microshift-gitops-0:1.12.1-4.el9.x86_64",
                "product": {
                  "name": "microshift-gitops-0:1.12.1-4.el9.x86_64",
                  "product_id": "microshift-gitops-0:1.12.1-4.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=aarch64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "microshift-gitops-0:1.12.1-4.el9.aarch64",
                "product": {
                  "name": "microshift-gitops-0:1.12.1-4.el9.aarch64",
                  "product_id": "microshift-gitops-0:1.12.1-4.el9.aarch64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=aarch64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=ppc64le"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
                "product": {
                  "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
                  "product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=s390x"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
                "product": {
                  "name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
                  "product_id": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/microshift-gitops-release-info@1.12.1-4.el9?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
        "relates_to_product_reference": "8Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
        "relates_to_product_reference": "8Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
        "relates_to_product_reference": "8Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
        "relates_to_product_reference": "8Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
        "relates_to_product_reference": "8Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64"
        },
        "product_reference": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
        "relates_to_product_reference": "8Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "microshift-gitops-0:1.12.1-4.el9.aarch64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64"
        },
        "product_reference": "microshift-gitops-0:1.12.1-4.el9.aarch64",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "microshift-gitops-0:1.12.1-4.el9.src as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src"
        },
        "product_reference": "microshift-gitops-0:1.12.1-4.el9.src",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "microshift-gitops-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64"
        },
        "product_reference": "microshift-gitops-0:1.12.1-4.el9.x86_64",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch"
        },
        "product_reference": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64"
        },
        "product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
          "product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
        },
        "product_reference": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
        "relates_to_product_reference": "9Base-GitOps-1.12"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-50726",
      "cwe": {
        "id": "CWE-269",
        "name": "Improper Privilege Management"
      },
      "discovery_date": "2024-03-14T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2269479"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the Argo CD package. An improper validation bug allows users to sync local manifests on app creation, who have create privileges but not override privileges. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforced is that the manifests come from some approved git/Helm/OCI source.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "CD: Users with `create` but not `override` privileges can perform local sync",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-50726"
        },
        {
          "category": "external",
          "summary": "RHBZ#2269479",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269479"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-50726",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-50726"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-50726",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50726"
        },
        {
          "category": "external",
          "summary": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac",
          "url": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978",
          "url": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm"
        }
      ],
      "release_date": "2024-03-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1752"
        },
        {
          "category": "workaround",
          "details": "To mitigate the risk of branch protection bypass, remove applications and create RBAC access.",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "CD: Users with `create` but not `override` privileges can perform local sync"
    },
    {
      "cve": "CVE-2024-21652",
      "cwe": {
        "id": "CWE-307",
        "name": "Improper Restriction of Excessive Authentication Attempts"
      },
      "discovery_date": "2024-03-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2270170"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A bypass of brute force protection flaw was found in Argo CD. Since login attempts are stored only in memory, every time the server restarts, that number is lost and unlimited login attempts can be made. It is possible to bypass brute force protections by chaining this issue with a denial of service issue, such as CVE-2024-21661.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21652"
        },
        {
          "category": "external",
          "summary": "RHBZ#2270170",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270170"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21652",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21652"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21652",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21652"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv"
        }
      ],
      "release_date": "2024-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1752"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss"
    },
    {
      "cve": "CVE-2024-21661",
      "cwe": {
        "id": "CWE-567",
        "name": "Unsynchronized Access to Shared Data in a Multithreaded Context"
      },
      "discovery_date": "2024-03-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2270173"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Argo CD that may result in a remote denial of service. The expireOldFailedAttempts function modifies an array while it is being iterated over. This issue may cause an application crash when executed in a multi-threaded environment if two threads interact with the same array simultaneously.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21661"
        },
        {
          "category": "external",
          "summary": "RHBZ#2270173",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270173"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21661",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21661"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21661",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21661"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7"
        }
      ],
      "release_date": "2024-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1752"
        },
        {
          "category": "workaround",
          "details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment"
    },
    {
      "cve": "CVE-2024-21662",
      "cwe": {
        "id": "CWE-307",
        "name": "Improper Restriction of Excessive Authentication Attempts"
      },
      "discovery_date": "2024-03-18T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2270182"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Argo CD, where the rate limit for login attempts may be bypassed due to an incomplete fix for CVE-2020-8827. The cache-based mechanism is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by sending excessive login attempts for different users, thereby pushing out the admin account\u0027s failed attempts and effectively resetting the rate limit for that account. This enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-21662"
        },
        {
          "category": "external",
          "summary": "RHBZ#2270182",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270182"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-21662",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-21662"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21662",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21662"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d",
          "url": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b",
          "url": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456",
          "url": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454"
        }
      ],
      "release_date": "2024-03-18T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1752"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow"
    },
    {
      "cve": "CVE-2024-29893",
      "cwe": {
        "id": "CWE-400",
        "name": "Uncontrolled Resource Consumption"
      },
      "discovery_date": "2024-03-29T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2272211"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The ArgoCD repo-server component is vulnerable to a denial of service attack, where it is possible to crash the repo server component through an out-of-memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package does not limit the size or time while fetching the data. It fetches and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argo-cd: uncontrolled memory allocation vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
          "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
          "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2024-29893"
        },
        {
          "category": "external",
          "summary": "RHBZ#2272211",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272211"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2024-29893",
          "url": "https://www.cve.org/CVERecord?id=CVE-2024-29893"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29893",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29893"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d",
          "url": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59",
          "url": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd",
          "url": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3"
        }
      ],
      "release_date": "2024-03-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2024:1752"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
            "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
            "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "argo-cd: uncontrolled memory allocation vulnerability"
    }
  ]
}

cve-2024-21662

Vulnerability from cvelistv5

Published

2024-03-18 18:42

Modified

2024-08-01 22:27

Severity

7.5 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Summary

Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow

References

URL	Tags
https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454	x_refsource_CONFIRM
https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d	x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b	x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456	x_refsource_MISC
https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force	x_refsource_MISC

Impacted products

Vendor	Product
argoproj	argo-cd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:linuxfoundation:argo-cd:2.9.0:-:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "argo-cd",
            "vendor": "linuxfoundation",
            "versions": [
              {
                "lessThan": "2.9.9",
                "status": "affected",
                "version": "2.9.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:linuxfoundation:argo-cd:2.10.0:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "argo-cd",
            "vendor": "linuxfoundation",
            "versions": [
              {
                "status": "affected",
                "version": "2.10.0"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "argo-cd",
            "vendor": "linuxfoundation",
            "versions": [
              {
                "lessThan": "2.8.13",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21662",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-16T00:19:37.829646Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-16T00:24:27.974Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:36.084Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456"
          },
          {
            "name": "https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.10.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application\u0027s weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application\u0027s brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account\u0027s failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-18T18:42:04.701Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456"
        },
        {
          "name": "https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force"
        }
      ],
      "source": {
        "advisory": "GHSA-2vgg-9h6w-m454",
        "discovery": "UNKNOWN"
      },
      "title": "Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-21662",
    "datePublished": "2024-03-18T18:42:04.701Z",
    "dateReserved": "2023-12-29T16:10:20.367Z",
    "dateUpdated": "2024-08-01T22:27:36.084Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-29893

Vulnerability from cvelistv5

Published

2024-03-29 15:07

Modified

2024-08-02 01:17

Severity

6.5 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Summary

Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server

References

URL	Tags
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3	x_refsource_CONFIRM
https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d	x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59	x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd	x_refsource_MISC

Impacted products

Vendor	Product
argoproj	argo-cd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-29893",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-29T18:59:56.278009Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T19:22:49.108Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:17:58.029Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.4.0, \u003c 2.8.14"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.10"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.10.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically,  it\u0027s possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-29T15:07:51.057Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd"
        }
      ],
      "source": {
        "advisory": "GHSA-jhwx-mhww-rgc3",
        "discovery": "UNKNOWN"
      },
      "title": "Uncontrolled Resource Consumption vulnerability in ArgoCD\u0027s repo server"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-29893",
    "datePublished": "2024-03-29T15:07:51.057Z",
    "dateReserved": "2024-03-21T15:12:08.998Z",
    "dateUpdated": "2024-08-02T01:17:58.029Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2023-50726

Vulnerability from cvelistv5

Published

2024-03-13 20:50

Modified

2024-08-02 22:16

Severity

6.4 (Medium) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Summary

Users with `create` but not `override` privileges can perform local sync in argo-cd

References

URL	Tags
https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm	x_refsource_CONFIRM
https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978	x_refsource_MISC
https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac	x_refsource_MISC

Impacted products

Vendor	Product
argoproj	argo-cd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-50726",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-14T15:56:02.495015Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:18:02.620Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T22:16:47.265Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"
          },
          {
            "name": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.2.0-rc1, \u003c 2.8.12"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.10.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. \"Local sync\" is an Argo CD feature that allows developers to temporarily override an Application\u0027s manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-13T20:50:52.245Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"
        },
        {
          "name": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"
        }
      ],
      "source": {
        "advisory": "GHSA-g623-jcgg-mhmm",
        "discovery": "UNKNOWN"
      },
      "title": "Users with `create` but not `override` privileges can perform local sync in argo-cd"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-50726",
    "datePublished": "2024-03-13T20:50:52.245Z",
    "dateReserved": "2023-12-11T17:53:36.031Z",
    "dateUpdated": "2024-08-02T22:16:47.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-21652

Vulnerability from cvelistv5

Published

2024-03-18 17:14

Modified

2024-08-01 22:27

Severity

9.8 (Critical) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss

References

URL	Tags
https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv	x_refsource_CONFIRM

Impacted products

Vendor	Product
argoproj	argo-cd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:argoproj:argo-cd:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "argo-cd",
            "vendor": "argoproj",
            "versions": [
              {
                "lessThan": "2.8.13",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.9.9",
                "status": "affected",
                "version": "2.9.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.10.4",
                "status": "affected",
                "version": "2.10.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21652",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-07T15:52:24.341044Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-07T15:52:27.549Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:36.044Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.10.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application\u0027s brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-18T17:14:02.995Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv"
        }
      ],
      "source": {
        "advisory": "GHSA-x32m-mvfj-52xv",
        "discovery": "UNKNOWN"
      },
      "title": "Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-21652",
    "datePublished": "2024-03-18T17:14:02.995Z",
    "dateReserved": "2023-12-29T16:10:20.366Z",
    "dateUpdated": "2024-08-01T22:27:36.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

cve-2024-21661

Vulnerability from cvelistv5

Published

2024-03-18 18:32

Modified

2024-08-02 15:09

Severity

7.5 (High) - cvssV3_1 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment

References

URL	Tags
https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7	x_refsource_CONFIRM
https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345	x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208	x_refsource_MISC
https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b	x_refsource_MISC
https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311	x_refsource_MISC

Impacted products

Vendor	Product
argoproj	argo-cd

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T22:27:35.875Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:argoproj:argo-cd:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "argo-cd",
            "vendor": "argoproj",
            "versions": [
              {
                "lessThan": "2.8.13",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.9.9",
                "status": "affected",
                "version": "2.9.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.10.4",
                "status": "affected",
                "version": "2.10.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-21661",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-19T14:24:28.870844Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:09:39.868Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.8.13"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.9.0, \u003c 2.9.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.10.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application\u0027s code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-787",
              "description": "CWE-787: Out-of-bounds Write",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-03-18T18:32:24.871Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311"
        }
      ],
      "source": {
        "advisory": "GHSA-6v85-wr92-q4p7",
        "discovery": "UNKNOWN"
      },
      "title": "Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-21661",
    "datePublished": "2024-03-18T18:32:24.871Z",
    "dateReserved": "2023-12-29T16:10:20.367Z",
    "dateUpdated": "2024-08-02T15:09:39.868Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Action not permitted

rhsa-2024_1752

Vulnerability from csaf_redhat

cve-2024-21662

Vulnerability from cvelistv5

cve-2024-29893

Vulnerability from cvelistv5

cve-2023-50726

Vulnerability from cvelistv5

cve-2024-21652

Vulnerability from cvelistv5

cve-2024-21661

Vulnerability from cvelistv5

Tags